New Windows Worm Inching Around Internet
helixcode123 writes "The Register is reporting a Windows Worm that
takes advantage of weak default passwords. This
looks pretty nasty, as it mucks with the registry
and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
This is a problem? (Score:5, Interesting)
Anyone want to tell me why this is a problem? It forces the person to act, unlike a security posting about good passwords in an employee handbook.
The Most Open Security Hole.... (Score:5, Interesting)
But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???
Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".
Re:Thank you (Score:2, Interesting)
Now if people select a password of "password", that's a different issue.
This goes for any operating system.
ummm.... (Score:4, Interesting)
BAD PASSWORD: it is based on your username
New UNIX password: jp821968i
BAD PASSWORD: it looks like a National Insurance number.
New UNIX password: rg78kn
BAD PASSWORD: is too simple
Yeah, nothing to do with the password system.
OK, so that's how my Linux box is set up (without post-install configuration); why isn't Windows set up this way?
It's about time... (Score:2, Interesting)
It's about time someone wrote a worm like this.
If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.
I once worked as an SA at a bank. I could guess 90% of people's passwords in 3 tries. I'd say about 30% were the default "welcome". And the users would bitch (and occasionally get someone fired) if we told them to change them.
If it is clearly communicated that this thing is spread because of weak passwords, maybe people will wake up and start using real passwords.
Or is it just wishful thinking?
Symantec's hint (Score:5, Interesting)
LiveUpdate:
Virus Definitions released March 9
Norton AntiVirus Corp. Edition Defs Version: 50309h
Norton AntiVirus Corp. Edition Sequence Number: 21592
Total Viruses Detected: 63225
This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.
They know something, definitely.
Re:What were those commons passwords in Hackers? (Score:2, Interesting)
Re:Microsoft's fault? (Score:5, Interesting)
not all shares are manually set.
if the administrator password is weak then the system can be compromised this way with no shares being set (unless things have changed since NT 4.0 that I don't know about).
Re:Microsoft's fault? (Score:3, Interesting)
Re:ummm.... (Score:3, Interesting)
Hint: look at your keyboard.
Re:This is a problem? (Score:5, Interesting)
Because it also installs a VNC server on the box and connects to a pre-defined list of 13 IRC servers, opening a big wide backdoor into the system.
I suppose you could argue that we don't know what their intentions are -- maybe they're gonna just connect to the box and fix things for the idiot admins, all nice like.
Re:Doh! (Score:5, Interesting)
To this day you can still connect to a Win98 share with smbclient and specify the user's computer name as your computer name also (the -n switch), and Win98 will not show when you are actually connected; it will complain about someone being connected if you attempt to shut down, but will not specify who is connected.
(I tried this trick with W2K and it was not fooled by the remote connection; unsure of other Win versions.) Of course, connection logging on the Windows end is pretty much non-existent, so good luck trying to track someone down anyway.
Re:ummm.... (Score:2, Interesting)
Anyway, maybe it could have a very elementary test: things like "password" and its variants would be rejected, as would common derivations of the username. What might be a better idea was if when the user was asked to create / change a password, it had a section on choosing a *good* password. (And if your password was a 'common' bad one, it could explain why it's bad.)
yes, it's a problem (Score:5, Interesting)
Right, minimal damage, just a rebuild unless you want to trust a cracker's claim of minimal damage. Time, money all wasted. Ever tried to back up a windoze box? It's not like the useful files are all located in the user's home directory. Stuff gets lost, even with the best "migration" tools. I don't even want to think of the BSA accounting problem this will create at larger firms.
By the way, who let M$ off for this? They got server daemons running as ROOT, that can write anywhere? Oh yeah! And they have things so tied up that it's a pain in the ass to run anything but M$ crap? No responsibility for the monoculture of weak software on M$'s part is there? Burn, baby, burn, show'em what you are worth!
Choose your weapons...Uh, I pick Blame! (Score:3, Interesting)
Please tell me how it's MS's fault that people pick easy to guess passwords?
Some systems I have used in the past have a built-in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords. While users tend to hate what these methods limit them to, break-ins tend to be limited to those people they know.
You can't fault Microsoft for not including such a feature. Chances are, if Microsoft did build in such a feature, someone would be taking issue with it on slashdot.
A modest proposal:
Suggest Microsoft include the ability for the administrator to select a tool (yeah, I know they typically want you to use only Microsoft Brand stuff, hence the aforementioned 'issue'). Does Microsoft accept advice from users, or do they only innovate by buying up a company that already makes such a product, integrating it, then driving all competitors out of the market? (oops, I did it myself...)
Re:Microsoft's fault? (Score:5, Interesting)
Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.
The "shiny new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.
True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.
No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.
Surprising (Score:2, Interesting)
Re:This is a problem? (Score:3, Interesting)
I ran into a vendor who by default installed SCO Xenix systems with a blank root password (so they could easily call in and provide support for the accounting application that they sold) and didn't inform the customer.
Better yet, the accounting app ran as root, so even guests had root access.
Better yet, the "locked down guest account" showed menu items 1-4 but prompted for 1-22. Item 22 was selectable, and was the utility menu including a shell prompt.
Better yet, the accounting system had a data file "passwords.txt" containing CSV usernames and passwords for every user account in the accounting system.
Doh! Doh! Doh! Doh! Doh! Doh! Doh! Doh!
This was five years ago, but still... EVERY one of their customers (except for the system I set a password on) is probably still vulnerable to the first person in the area with a war dialer.
Almost as bad: A community college that I attended required their secretarial staff to use one of the 40 pre-approved passwords provided on a list that was sent around the office.
Why do people hire these admins? (Score:5, Interesting)
How MS can "force" a person to choose a good pw? (Score:4, Interesting)
What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):
The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.
Of course, then what would the Linux and BSD zealots have left to bitch about?
This IS microsoft's fault (Score:1, Interesting)
Pick something easy, like a dictionary word, or something really short.
You'll see:
[nimmerge@costanza nimmerge]$ passwd
Changing password for user george.
Changing password for george
(current) UNIX password:
New password:
BAD PASSWORD: it is too short
New password:
BAD PASSWORD: it is based on a dictionary word
New password:
Now give me a valid reason why Microsoft can't require strong passwords by default?
Solution: Don't use weak passwords. (Score:5, Interesting)
Good for those Linux boxes! You're using a weak password.
First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.
Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!
Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random passwords rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.
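The posts above show what a pam_cracklib-style filter reports ("it is too short", "it is based on your username", "it is based on a dictionary word", "is too simple"), the 'Re:ummm....' post asks that the reason for a rejection be explained, and the 'Solution' post points out that crackers try l33t-speak and appended digits anyway. The following Python is an added example written for this page, not code from any of the posters or from pam_cracklib: it normalises a candidate the way a cracker would (case folded, l33t undone, leading/trailing digits and symbols stripped) before testing it, so 'P@ssw0rd123' is still caught as 'password', and it returns the reason. WORDLIST is a constructed stand-in for a real cracking dictionary, and the username 'george' in the demo is taken from the passwd session quoted above.

```python
"""Password-quality filter (added example; not code from the posts above)."""
import re
import string
from typing import Tuple

MIN_LEN = 8

# Constructed stand-in for a cracker dictionary; a real one has many thousands of entries.
WORDLIST = {"password", "welcome", "secret", "letmein", "qwerty", "dragon",
            "monkey", "football", "baseball", "master"}

# Common l33t substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
EDGE_JUNK = string.digits + string.punctuation


def candidates(pw: str) -> set:
    """Base words a cracker would derive from pw: case-folded, l33t undone,
    and with leading/trailing digits or punctuation removed, in both orders."""
    low = pw.lower()
    stripped = low.strip(EDGE_JUNK)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET),
            low.translate(LEET).strip(EDGE_JUNK)}


def is_keyboard_walk(s: str) -> bool:
    """True if s is a run of at least four adjacent keys along one row, forwards or backwards."""
    s = s.lower()
    if len(s) < 4:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw: str, username: str) -> Tuple[bool, str]:
    """Return (accepted, reason). The reason is meant to be shown to the user."""
    if len(pw) < MIN_LEN:
        return False, "it is too short"
    cands = candidates(pw)
    user = username.lower()
    if user and any(user in c or user[::-1] in c for c in cands):
        return False, "it is based on your username"
    if cands & WORDLIST:
        return False, "it is based on a dictionary word"
    if any(is_keyboard_walk(c) for c in cands):
        return False, "it is a keyboard pattern"
    # Require three of the four character classes, as most "complexity" policies do.
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        return False, "it is too simple"
    if len(set(pw)) < 5:
        return False, "it does not contain enough different characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed trial passwords for the user 'george' from the passwd session quoted above.
    for pw in ["secret", "George2003!", "P@ssw0rd123", "qwertyuiop", "Tr0ub4dor&3"]:
        ok, why = check_password(pw, "george")
        print(f"{pw!r}: {'accepted' if ok else 'BAD PASSWORD: ' + why}")
```

The normalisation step is what makes the filter honest about the 'Solution' post's point: if a cracker's cheap transformations map a password onto a dictionary word, the filter should reject it on the same grounds rather than accept it because the raw string contained a digit and a symbol.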
I'm curious. (Score:2, Interesting)
Weak XP (Score:5, Interesting)
That's right. Usually all it takes to break in to a WinXP box is to hit ctrl+alt+del x 2 and you're back to the normal WinNT login. Then type in Administrator, no password, and unless this person knows anything about Windows, and often that's not enough, you're in.
Add to that that all accounts made are Administrator by default, and DON'T need passwords.
What REALLY hurts Windows here is not being truly multiuser on a local machine. This can be felt when you try to lock down, say, a web kiosk, and as you edit the Local Security Policy, you can watch the system lock down around you, since you CAN'T change it on a per-user basis.
Add to this things like the viral Xupiter, and windows is chock full of holes. And leaving a winXP box in non-admin node is almost worthless, because SO many programs require admin access rendering it a pain in the ass.
While in the article the poster mentioned it's not Microsoft's fault, it BLATANTLY is. Windows comes SO dumbed down, I have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesn't have a default to make sure your password is at least somewhat secure. The options DO exist. From a sysadmin perspective, Windows is a waste of time. They NEED to have a default "I'm not a dumb user" setting you choose at startup that will, among other things, make sure your system is tight and passworded.
They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPARATE security policy, with an emphasis on editing it when you first install.
To put things in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, I guarantee you, even in the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.
The windows box will have every spyware app on it, stuff deleted, etc, etc.
OH, Xupiter just installed itself again, i have to go...
Re:who's on first? (Score:5, Interesting)
chars.txt is a plain text file of any characters I'd like for them to use. This gives 54^8 (72,301,961,339,136) combinations. I leave out common typing mistakes like
Zero = uppercase o
One = lowercase L
One = uppercase i
I think 72 trillion combinations is slightly safer than top 100 common passwords, or words that show up in the short version of the common dictionary files.
I use this for our own internal passwords too, but at least I let people keep running it til they see something that pleases them. "Oh ya, that's one I'll remember." Just feel sorry for people just starting on our staff on password-change day..
-----
#!/usr/bin/perl
use strict;
use warnings;
# Define our character sets here, leaving out difficult (similar) characters.
# chars.list holds one allowed character per line.
open (LIST, "<", "/usr/users/security/chars.list") or die "cannot open chars.list: $!";
my @chars = <LIST>;
close (LIST);
chomp @chars;
# Pick 8 entries at random from @chars (the 54^8 combinations mentioned above)
my $password = join("", @chars[ map { rand @chars } (1..8) ]);
# Strip anything that is not alphanumeric (stray whitespace, blank lines)
$password =~ y/0-9A-Za-z//cd;
print "$password\n";
-----
Of course, for less secure applications, I've just used "no".. So, when someone asks "What's your password?", I just answer "no". They get pissed off, I take the keyboard, tap no[enter] real quick, and they wonder what I really typed.
BTW, for you copyright happy people out there, that join line was stolen from one of the O'Reilly books.. So, sue me.
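The generator above picks 8 characters from an alphabet with look-alikes removed and reasons about the 54^8 search space. The following Python is an added example written for this page, not the poster's Perl script: it does the same job but draws characters with the secrets module (a CSPRNG; Perl's rand is not one) and computes the search space and entropy for a given length, plus the length needed for a target entropy. The alphabet is built in code rather than read from a chars.list file, and which characters count as confusable is a constructed choice (only the three pairs the post lists), so the alphabet here has 57 characters rather than the post's 54.

```python
"""CSPRNG password generator with confusable characters removed (added example)."""
import math
import secrets
import string

# Look-alike characters the post leaves out: zero/capital O, one/lowercase L/capital I.
CONFUSABLE = frozenset("0O1lI")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in CONFUSABLE)


def search_space(length: int, alphabet: str = ALPHABET) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return len(alphabet) ** length


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of that length, in bits."""
    return length * math.log2(len(alphabet))


def length_for_bits(bits: float, alphabet: str = ALPHABET) -> int:
    """Shortest length whose entropy is at least `bits`."""
    return math.ceil(bits / math.log2(len(alphabet)))


def generate(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` characters chosen uniformly with a CSPRNG."""
    if length < 1 or not alphabet:
        raise ValueError("length must be positive and alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_unambiguous(pw: str, alphabet: str = ALPHABET) -> bool:
    """True if every character of pw is in the allowed alphabet (no confusables)."""
    return all(c in alphabet for c in pw)


if __name__ == "__main__":
    print(f"alphabet: {len(ALPHABET)} characters")
    print(f"8 chars: {search_space(8):,} combinations, {entropy_bits(8):.1f} bits")
    print(f"for 64 bits you need {length_for_bits(64)} characters")
    print("example:", generate(8))
```

Eight characters from a 54- or 57-symbol alphabet is a little under 47 bits; length_for_bits() shows how many characters the same alphabet needs for a larger target, which is the number to look at when deciding a policy rather than the raw combination count.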
Try a recent distro? (Score:3, Interesting)
Comes with more software than I've currently got loaded on my Windows machine, period. Office suite(s), games, usenet, web, mail, irc, packet sniffer, firewall, cd-burning,... I could go on, but at 4.6 gigs it's kinda scary
Anyway, your point again was?
Re:Weak XP (Score:2, Interesting)
But then again your entire argument is constructed on pure and utter ignorance of the basic facts so I guess I shouldn't have expected anything otherwise... though a retraction on your part would be nice.
J
P.S. If a sys admin can't lock down his box without being provided a "I'm not a dumb user" checkbox - doesn't it seem like the problem may not in fact have anything to do with Microsoft at all?
Re:Not default passwords... (Score:3, Interesting)
Re:who's on first? (Score:1, Interesting)
Great site for good passwords (Score:2, Interesting)
Then just use memory path tricks to store them in the ol' grey matter, nuff said. I use the same rules every time for character substitution, so I don't have to remember the coded password, just the diceware phrase. Apply the coding, and there's the password.
My system (Score:2, Interesting)
What I do is I take the name of someone I know for every month of the year. I associate a date with them, like birthday, day I met them etc. Sounds stupid so far, but here's what I do next.
I then associate the date with the current year and decide how to mess about with the numbers. Do I just take the date at face value, or do I use date separators / . and - in some sort of combination and use them as mathematical operators to generate a number? Whatever I decide to do, I convert the number into hex (because some passwords require numbers) and then attach it to the name of the person concerned in whatever way I choose and voila, password generated. Keep in mind that if you use the same combination of operators when the year changes, your password is not going to change a hell of a lot for corresponding months between the years.
The beauty is I've told you my system and you can't figure out any of my passwords. Better yet, you don't actually need to remember your passwords; more likely you just need to remember the mathematical operators, because names and birthdays should come off the top of your head. I can't remember my slashdot password though, I chose that before my system. Thank goodness for cookies.